Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionGitHub Advisory
Pi-hole FTL is the core engine of the Pi-hole network-level advertisement and tracker blocker. In versions before 6.6.1, the dns.interface configuration field in Pi-hole FTL accepted newline characters without validation, allowing an attacker to inject arbitrary directives into the generated dnsmasq configuration file. On installations with no admin password set (the default for many deployments), the configuration API is fully accessible without credentials, allowing a network-adjacent attacker to inject the payload, enable the built-in DHCP server, and achieve arbitrary command execution on the host the next time any device on the network requests a DHCP lease. The injected value is persisted to /etc/pihole/pihole.toml and survives restarts. The strncpy in the code path limits the total interface field to 31 bytes, but payloads such as wlan0\ndhcp-script=/tmp/p fit within this constraint. The dnsmasq config validation introduced in FTL 6.6 only checks syntactic validity, so valid directives injected via newline pass validation successfully. This issue has been fixed in version 6.6.1.
AnalysisAI
Remote command execution in Pi-hole FTL versions before 6.6.1 allows network-adjacent attackers with API access to inject malicious dnsmasq directives via unvalidated newline characters in the dns.interface configuration field, achieving arbitrary code execution when DHCP leases are requested. Deployments with no admin password (a documented default configuration) expose the configuration API without authentication, enabling unauthenticated remote exploitation. The Pi-hole project released version 6.6.1 with input validation that strips newline characters, and the fix commit (0c46e4ec7f) replaced validate_stub with validate_str_no_newline.
Technical ContextAI
Pi-hole FTL is the DNS and DHCP engine underlying Pi-hole ad-blocking deployments, which generates dnsmasq configuration files from user-controlled settings stored in /etc/pihole/pihole.toml. The vulnerability stems from CWE-93 (Improper Neutralization of CRLF Sequences in HTTP Headers / Configuration Files). The dns.interface field accepted newline characters without sanitization, allowing injection of arbitrary dnsmasq directives such as dhcp-script=/tmp/malicious_payload within the 31-byte strncpy limit (e.g., wlan0\ndhcp-script=/tmp/p). The dnsmasq dhcp-script directive executes the specified script whenever a DHCP lease is assigned, creating a path from configuration injection to command execution. The FTL 6.6 config validation only verified syntactic correctness of generated dnsmasq configs, so injected valid directives passed checks. The attack chain requires enabling the DHCP server via the same API, making this a multi-step configuration manipulation attack that triggers on network DHCP activity rather than immediate code execution.
RemediationAI
Upgrade to Pi-hole FTL version 6.6.1 or later, released by the vendor with commit 0c46e4ec7fe57f762fce261625f2cf5d43806e6d that replaces validate_stub with validate_str_no_newline to strip newline characters from dns.interface input. Download from https://github.com/pi-hole/FTL/releases/tag/v6.6.1 and follow Pi-hole update procedures. If immediate patching is not feasible, set a strong admin password via pihole -a -p to require authentication for the configuration API, which converts the attack from unauthenticated (PR:N) to requiring low privileges (PR:L). Restrict network access to the Pi-hole web interface (typically TCP 80/443) and API to trusted management networks only using firewall rules or reverse proxy authentication - note this breaks legitimate remote administration and may complicate troubleshooting. Audit /etc/pihole/pihole.toml for unexpected newline characters or dhcp-script directives, and review dnsmasq configuration in /etc/dnsmasq.d/ for injected payloads. Disable the DHCP server feature if not required, though this does not prevent configuration injection, only the DHCP-based trigger mechanism. Monitor for unexpected process execution from dnsmasq parent processes.
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27498